Rule checker - firewall audit
-
Hi
I recently took over a pfsense box on a rather big network. Lots of aliases, lots of subnets and vlans.
I have been ordered to do an audit, and the rules are such a mess, that it almost seems like an impossible task.
A tool that would really help me would be a piece of software that is able to check an IP/net for connectivity. This would enable me to quickly get a list of IP addresses / ports that a specific IP is allowed to communicate with.
Have any of you heard about such software?
If not, is anyone interested in collaborating on making that software? I'm a sort of skilled PHP programmer. Thanks for your time guys!
Kasper
-
Usually the use of aliases helps make it easier to understand. Is it really the case that the rules are a "mess", or is it that you are having a hard time understanding what they are doing? I doubt you will get much response for the project you propose, but we're more than happy to help you figure out your rules.
-
@KOM:
Usually the use of aliases helps make it easier to understand. Is it really the case that the rules are a "mess", or is it that you are having a hard time understanding what they are doing? I doubt you will get much response for the project you propose, but we're more than happy to help you figure out your rules.
Thanks for your answer. But they are a mess. It's not just me who is having trouble understanding them. They're a mess. :)
-
I suspect a manual audit is your only option. Validate everything one by one.
-
How many rules are you talking about? So you're wanting a tool like nipper? https://www.titania.com/nipperstudio
Yeah I don't think they have support for pf..
-
How many rules are you talking about? So you're wanting a tool like nipper? https://www.titania.com/nipperstudio
Yeah I don't think they have support for pf..
I would say around 5000 rules.
-
5000?? That just seems insane..
Yeah an audit is in order along with a restructure and simplification most likely…
-
Not exactly what you are looking for, but maybe this will help to identify rules with no hits:
https://forum.pfsense.org/index.php?topic=97925.msg545345#msg545345
-
Hey Kasper,
I feel your pain when it comes to dealing with a chaotic firewall rule set. Managing a complex network with numerous aliases, subnets, and VLANs can be a real headache. While I haven't come across a specific software that does precisely what you're looking for, I can offer some advice based on my experience.
You might want to consider breaking down the audit into manageable steps. Start by documenting the existing rules, identifying any overlaps or conflicts, and cleaning up unnecessary rules. Then, focus on testing connectivity between specific IP addresses and ports manually. While it's a labor-intensive process, it will give you a thorough understanding of your network's security posture.
Collaborating on developing a software tool for this purpose could be an excellent idea, especially if you have PHP skills. You could create a custom solution tailored to your network's needs. Just remember that such a tool might require ongoing maintenance to stay effective as your network evolves.
-
If you get to the console, get the output of:
pfctl -sr
That will give you the rules as applied (macros and aliases as expanded), in the order they are evaluated. Keep in mind pf is "last match wins" and the keyword "quick" short circuits the rest of the evaluations on a match.
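The evaluation order described above (last match wins, "quick" short-circuits), as an added example that is not part of this thread or of pfSense: a small Python script that parses a constructed, simplified `pfctl -sr` listing and answers the question the first post asks, which destinations and ports a given source is allowed to reach. The rule grammar it accepts is a toy subset of pf syntax and the sample rules are made up.

```python
import ipaddress
import re

# Constructed sample in the style of `pfctl -sr` output (simplified subset, not
# from a real box); as with pfctl, rules appear in the order pf evaluates them.
SAMPLE_RULES = """\
block drop in all
pass in quick on em0 inet proto tcp from 10.0.1.0/24 to 192.168.10.5 port = 443
block drop in quick on em0 inet from 10.0.1.50 to 192.168.10.0/24
pass in on em0 inet proto tcp from 10.0.0.0/8 to 192.168.10.5 port = 22
block drop in on em0 inet proto tcp from 10.0.1.0/24 to 192.168.10.5 port = 22
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?: drop| return)?(?: (?P<dir>in|out))?(?P<quick> quick)?"
    r"(?: on (?P<iface>\S+))?(?: inet6?)?(?: proto (?P<proto>\S+))?"
    r"(?: from (?P<src>\S+))?(?: to (?P<dst>\S+))?(?: port = (?P<port>\d+))?"
)

def parse_rules(text):
    """Parse the toy subset; unknown lines are skipped, trailing options ignored."""
    matches = (RULE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def _addr_match(spec, ip):
    if spec in (None, "any"):  # no from/to (an 'all' rule) or an explicit any
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _matches(r, src, dst, proto, port, direction):
    """Does one parsed rule apply to this packet? Absent fields mean 'any'."""
    return ((not r["dir"] or r["dir"] == direction)
            and (not r["proto"] or r["proto"] == proto)
            and (not r["port"] or int(r["port"]) == port)
            and _addr_match(r["src"], src) and _addr_match(r["dst"], dst))

def evaluate(rules, src, dst, proto="tcp", port=None, direction="in"):
    """(action, rule_index) as pf decides it: a later match overrides an earlier one
    (last match wins) unless it is 'quick', which stops evaluation; no match means pass."""
    decision = ("pass", None)
    for idx, r in enumerate(rules):
        if _matches(r, src, dst, proto, port, direction):
            decision = (r["action"], idx)
            if r["quick"]:
                break
    return decision

def allowed_from(rules, src, candidates):
    """The list the audit wants: which (dst, port) pairs may this source reach?"""
    return [(d, p) for d, p in candidates if evaluate(rules, src, d, port=p)[0] == "pass"]
```

Note how 10.0.1.50 reaches port 443 although rule 2 blocks that host: the earlier quick rule ends evaluation first, which is exactly the kind of ordering surprise an audit of 5000 rules has to surface.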
-
Manual checklist: A list of criteria to manually review your firewall rules against.
Automated tool: A software application that scans your firewall configuration and automatically identifies potential issues.
Compliance with company security policies: Do your rules align with your organization's overall security strategy?
Can you share your firewall configuration file or provide access to the firewall itself?